An Audit Report on Financial and Operational Processes at ... · Financial and Operational Processes at Midwestern State University SAO Report No. 12-044 iv . Auditors determined

John Keel, CPA State Auditor

An Audit Report on

Financial and Operational Processes at Midwestern State University July 2012 Report No. 12-044

An Audit Report on

Financial and Operational Processes at Midwestern State University

SAO Report No. 12-044 July 2012

This audit was conducted in accordance with Texas Government Code, Sections 321.0131 and 321.0132.

For more information regarding this report, please contact Verma Elliott, Audit Manager, or John Keel, State Auditor, at (512) 936-9500.

Overall Conclusion

Midwestern State University (University) has generally implemented controls over its financial and administrative processes, but it should make improvements in certain areas. Auditors determined that the University:

Should improve controls over its purchasing, contracting, and procurement card processes.

Had adequate controls over donations, financial reporting, and assets, but it should improve certain aspects of controls in those areas.

Had adequate controls over payroll.

Had adequate controls to protect data in the information systems tested, but it should make certain improvements in areas such as physical security, data backups, and user access.

Key Points

The University should improve controls over purchasing.

The University generally had adequate controls over its purchasing process; however, it did not consistently follow its policies and procedures related to requirements for submitting purchase requisitions. In addition, the University overrode its accounting system control that prevented purchase orders from being processed on accounts that did not have sufficient funds, and it did not maintain associated explanatory documentation.

The University did not consistently follow its policies and procedures for contract vendor selection, and review and approval of contracts and change orders.

For 18 (60 percent) of the 30 contracts tested for which the University received multiple bids from vendors, the University did not maintain required documentation showing how it considered the selection criteria specified in the proposals, bids, or quotes.

Background Information

Located in Wichita Falls, Texas, Midwestern State University (University) has seven colleges: business administration, education, fine arts, humanities and social sciences, science and mathematics, health sciences and human services, and graduate studies. The University offers associate’s, bachelor’s, and master’s degrees.

According to information from the Higher Education Coordinating Board, the University enrolled 5,811 students for the Fall 2011 semester, which was a decrease from the 6,133 students enrolled in the Fall 2010 semester.

The University reported $83,918,910 in total operating expenses for fiscal year 2011.

An Audit Report on Financial and Operational Processes at Midwestern State University

SAO Report No. 12-044

ii

Sixteen (46 percent) of 35 contracts tested that the University had finalized did not have documentation indicating that the contracts were properly signed, reviewed, or authorized (another contract tested was still in negotiations). Those 16 contracts ranged from $15,000 to $2,217,897. In addition, 13 (36 percent) of the 36 contracts tested had change orders; however, the University’s vice president of business affairs and finance did not approve the contract change orders as required by policy.

The University should improve its monitoring of procurement card purchases to help ensure that cardholders comply with single purchase limits.

The University had adequate controls to help ensure that authorized users made procurement card purchases, cardholders’ supervisors reviewed those purchases, those purchases were supported by a receipt or an invoice, and the University coded those purchases correctly in its accounting system. However, for 30 (25 percent) of 119 procurement card purchases that auditors tested, it appeared that the cardholder split a purchase into multiple purchases to circumvent single purchase limits. Those 30 purchases totaled $24,953.

The University had controls to help ensure that financial information was accurate, complete, reliable, and timely, but it should improve certain controls.

The University disbursed scholarship funds and distributed funds donated to its annual fund in accordance with donors’ intentions. However, it did not consistently deposit or record donations or gifts-in-kind correctly in its accounting system, and it should strengthen certain controls over its donations tracking system.

The University generally had appropriate controls to help ensure that it reported selected accounts correctly on its fiscal year 2011 annual financial report. However, it did not (1) make corrections to address discrepancies identified through its monthly account reconciliations in a timely manner, (2) consistently obtain signatures on journal entries to ensure proper segregation of duties, and (3) obtain required approvals on budget transfer requests.

The University had controls to help ensure that it processed payroll accurately and appropriately, and reported payroll expenditures accurately on its fiscal year 2011 annual financial report.

The University had controls to safeguard assets, but it should improve certain controls over accounting for assets.

The University generally maintained correct information related to property tags, asset location, and asset category in the State Property Accounting system for the assets that auditors tested. Additionally, the University accurately valued and reported its construction in progress and its capital assets for fiscal year 2011. However, the University:



iii

Did not segregate the duties of maintaining property, conducting inventory, and updating the State Property Accounting system.

Did not maintain documentation sufficient to support (1) the asset values in the State Property Accounting system for five assets that totaled $2,271,941 and (2) the property numbers, asset descriptions, in-service dates, or acquisition methods in the State Property Accounting system for four assets that totaled $1,816,941.

Did not record two donated sculptures valued at a total of $22,000 in the State Property Accounting system.

The University had adequate controls to protect data in the information systems that auditors tested, but it should improve certain controls over physical access, data backups, and user access.

The University had adequate controls to protect data in the information systems that auditors tested from unauthorized alteration or improper use. However, it should improve physical controls for its computer server room and storage of data backups, ensure that its disaster recovery plan is complete and up to date, and develop written procedures on how user access reviews should be performed for its accounting system.

Summary of Management’s Response

The University agreed with the recommendations in this report.

Summary of Information Technology Review

Auditors performed a limited review of general and application controls over (1) the University’s accounting system; (2) the University’s donations tracking system; and (3) the State Property Accounting system, which the University uses as its inventory system.

The University had adequate controls over it accounting system to protect data from unauthorized alteration or improper use. However, the University should strengthen its controls for the computer server room, storage of data backups, disaster recovery plan, and procedures for its periodic reviews of user access to its accounting system.

For its donations tracking system, the University should improve segregation of duties, administrator-level access controls, documentation of its user access reviews, the use of generic user IDs, and the designation of backup personnel.

The University had user access controls over the State Property Accounting system to limit high-level access to appropriate personnel; however, it had not designated a backup individual for that system.



iv

Auditors determined that the data in the University’s accounting system, the University’s donations tracking system, and the State Property Accounting system was sufficiently reliable for the purposes of this audit.

Summary of Objective, Scope, and Methodology

The objective of this audit was to evaluate selected financial processes to determine whether the University has implemented a system of financial and administrative internal controls, and consider whether:

Accounting procedures and controls provide assurance of accurate, complete, reliable, and timely information.

Security controls within the University’s financial system provide assurance that critical data is protected from unauthorized alteration, loss, or improper use.

Controls are adequate and effective to provide reasonable assurance that assets are safeguarded.

The University complies with applicable laws and regulations.

The scope of this audit covered activities related to accounts payable, contracting, purchasing, procurement cards, assets, financial reporting, gifts and donations, and payroll and the related information systems between September 1, 2010, and December 31, 2011.

The audit methodology included collecting and reviewing information from the University’s accounting system and donations tracking system and the State Property Accounting system, conducting interviews with University staff, and reviewing University policies and procedures and applicable state and federal requirements. Specifically, auditors reviewed processes and controls related to accounts payable, contracting, purchasing, procurement cards, assets, financial reporting, gifts and donations, and payroll. As discussed above, auditors assessed the reliability of the University’s accounting system and donations tracking system and the State Property Accounting system and determined that the data from those systems was sufficiently reliable for the purposes of this audit.

Auditors also communicated other, less significant issues to the University separately in writing.

Contents

Detailed Results

Chapter 1 The University Should Improve Controls Over Its Purchasing, Contracting, and Procurement Card Processes ............................................................... 1

Chapter 2 The University Had Controls to Help Ensure That Financial Information Was Accurate, Complete, Reliable, and Timely, But It Should Improve Controls Over Donations and Financial Reporting ......................... 11

Chapter 3 The University Had Controls to Safeguard Assets, But It Should Improve Certain Controls Over Accounting for Assets ................................................................. 21

Chapter 4 The University Had Adequate Controls to Protect Data in Information Systems, But It Should Improve Certain Controls Over Physical Access, Data Backups, and User Access ................................................................. 26

Appendix

Objective, Scope, and Methodology .............................. 29

An Audit Report on Financial and Operational Processes at Midwestern State University SAO Report No. 12-044

July 2012 Page 1

Detailed Results

Chapter 1

The University Should Improve Controls Over Its Purchasing, Contracting, and Procurement Card Processes

Midwestern State University (University) generally had adequate controls over its purchasing process; however, it did not consistently follow its purchasing policies and procedures related to (1) requirements for purchase requisitions and (2) situations in which accounts have insufficient funds to process purchase orders.

The University also did not consistently follow its policies and procedures for vendor selection, contract advertising, and review and approval of contracts and change orders. The University generally had adequate controls over its procurement card process; however, it should improve its monitoring of procurement card purchases related to identifying split purchases and purchases that the University must competitively bid.

Chapter 1-A

The University Should Improve Controls Over Its Purchasing Processes

The University generally had adequate controls over its purchasing process to help ensure that:

Authorized staff completed and approved purchase requisitions.

The University coded purchases correctly in its accounting system.

The University generally followed proper bidding processes; however, auditors identified certain bidding issues related to contracting and procurement cards that are discussed in Chapters 1-B and 1-C.

The University approved purchase orders properly.

The University properly received goods and services purchased.

The University properly approved invoices for payment.

However, the University did not consistently follow its purchasing policies and procedures. The purchasing department issued purchase orders for unauthorized purchases that required purchase requisitions and for purchases on accounts that did not have sufficient funds.

Auditors tested a sample of 52 purchase orders totaling $1,696,413 that were processed from September 1, 2010, through December 31, 2011. Results of that testing are discussed below.


July 2012 Page 2

Purchases That Required Purchase Requisitions

The University departments did not always properly complete purchase requisitions and send them to the purchasing department for processing (see text

box for information about the purchasing process). Individual departments within the University did not follow the purchasing policies and procedures for 5 (10 percent) of the 52 purchases tested. Those five purchases exceeded the individual University departments’ authorization limits and should have been processed by the purchasing department per the University’s policies; however, the individual University departments made those five purchases directly. Those five purchases ranged from $6,250 to $14,310 and totaled $49,060. In those five instances, departments created purchase requisitions after they had purchased goods, received services, or signed contracts. Although the departments did not have the authority to make those purchases without going through the purchasing department, the purchasing department processed the departments’ requisitions and issued purchase orders without holding the departments accountable.

The University’s purchasing manual states that the departments must complete purchase requisitions for purchases that exceed $2,000, unless the departments have obtained prior authorization to make the purchases directly. The manual also states that any purchase not made in accordance with policies and procedures will be considered unauthorized, and that the individual responsible for initiating the unauthorized purchase will be held personally accountable until the transaction is resolved.

However, the documentation for the five purchases discussed above did not include evidence that the University held the departments accountable.

Insufficient Funds Overrides

The University overrode its accounting system control that prevents purchase orders from being issued on accounts that do not have sufficient funds, and it did not maintain associated explanatory documentation. When a purchase order is issued in the University’s accounting system, the accounting system obligates funds for that purchase. If sufficient funds are not available in the accounting system account(s) against which a purchase order is processed, the accounting system generates an insufficient funds message. However, the director of purchasing can override that message and allow a purchase order to be issued on that account.

For 11 (21 percent) of 52 purchase orders tested, the director of purchasing had overridden the insufficient funds message. For 9 (82 percent) of those 11 purchase orders, the University did not document why the override was necessary. Those 9 purchase orders totaled $950,095, and the vendors subsequently billed

Purchasing Process

The University’s purchasing process is as follows:

A department completes a purchase requisition in the accounting system and prints the requisition to obtain approval signatures from the department budget head and supervisor.

The department forwards the hard-copy, approved purchase requisition to the purchasing department, which conducts the bidding process. A purchaser prepares a purchase order in the accounting system using information from the requisition. The director of purchasing signs a hard-copy purchase order, and the purchaser places the order with the vendor.

The purchasing department receives an invoice from the vendor and verifies that it matches the purchase order and the receiving report. The purchasing department then forwards the hard-copies of all documentation to the business office.

The business office uses the hard-copy documentation to create an invoice in the accounting system, prints out payable reports to review for accuracy, and initials invoices. After the invoice is approved, it is processed for payment.

Source: Auditors’ observations of the purchasing process.


July 2012 Page 3

the University for the goods and services associated with those purchase orders through 18 invoices. While there were insufficient funds to cover the 9 purchase orders at the time they were processed, 14 (78 percent) of the 18 invoices that resulted from those purchase orders had sufficient funds at the time that payments were made (because the University had made budget transfers after it processed the purchase orders and before it processed the associated invoices for payment). The University performed budget transfers to cover the accounting system accounts with insufficient funds to pay for the remaining 4 (22 percent) of the 18 invoices that resulted from those purchase orders. Those four invoices totaled $63,287.

One of the purchases with an unexplained override of the insufficient funds message was to purchase a utility vehicle for the University’s police department. The University also did not follow its purchasing policies related to the types of funds to use and sole-source requirements for that transaction. Specifically:

The University used funds from its print shop account, rather than its police department account, to make the purchase. The University’s purchasing manual and accounting system fund listing categorized the account type used for this purchase as “designated,” and the University did not use the funds for the designated purpose.

The University purchased the utility vehicle through a sole-source purchase, instead of procuring the utility vehicle through competitive bidding. However, the University’s documentation did not justify why competing products were not satisfactory. The University’s purchasing manual states that sole-source purchases should be unique to one vendor and that justification must include the reason(s) that competing products are not satisfactory.

The University does not have policies and procedures related to (1) overriding controls in its accounting system when issuing purchase orders or (2) documenting an explanation for overrides.

Recommendations

The University should:

Comply with its policies and procedures to:

Make purchases through its purchasing department, rather than through individual departments, when required.

Make purchases using the correct type of funds.

Make appropriate sole-source purchases.


July 2012 Page 4

Develop and implement a policy regarding overriding controls in its accounting system when issuing purchase orders and documenting an explanation for overrides.

Management’s Response

The administration will improve its purchasing processes. One means will be to install a software program requiring the name and position of anyone initiating a purchase order and the signature of various persons required in authorization process. The software is scheduled for implementation in FY 2013.

Policies and procedures related to reducing insufficient funds overrides also are being developed and implemented. The administration notes that in instances in which the Business Office acted on the basis of telephone communication from the head of a budgetary unit, typically the budgetary head requested transferring funds from one line in an account to another line in the same account. Authorized purchases made at the beginning of a new fiscal year and dependent upon the use of carryover funds from the previous year contributed to the number of override requests. Sometimes full funding of accounts for a new fiscal year is not complete until 45 days after the close of the succeeding fiscal year. In the future, all transfers must be confirmed in writing. The matter also will be addressed in a revision of the university’s fiscal policy.

With regard to funds generated by the Print Shop and used in purchasing a vehicle for the campus police, the administration agrees that a budget transfer should have been executed before the purchase was authorized. The administration notes, however, that the use of the funds in this instance was permissible since the Print Shop is a designated university service department delivering goods and services to all areas of the university. Accordingly, the administration may distribute revenue generated by the Print Shop beyond the cost of its operation to other areas of the university.

The university’s Purchasing Department will

provide appropriate training of university personnel and inform university departments of the importance of following purchasing procedures,

notify departments not following standard purchasing procedures of the infraction(s) and require corrective action, and

notify the vice president responsible for an area in which a department repeatedly violates university purchasing procedures and request corrective action.


July 2012 Page 5

Implementation Dates: Train university employees – ongoing Develop and implement policy regarding overriding controls in the university’s accounting system – August 2012

Responsible Persons: Vice President for Business Affairs and Finance Controller Director of Purchasing

Chapter 1-B

The University Should Improve Controls Over Its Contracting Processes

The University did not consistently follow its policies and procedures for vendor selection, contract advertising, and review and approval of contracts and change orders. Auditors tested 36 contracts totaling $7,737,570 that were in effect or that the University initiated from September 1, 2010, through December 31, 2011. Examples of those contracts included construction projects, building renovations and repairs, and medical services.

In testing 36 contracts, auditors did not identify contracts for which the University appeared to have less-than-arms-length relationships with the vendors associated with those contracts. Auditors also tested 15 closed contracts and verified that the University’s payments to the vendors associated with those contracts did not exceed the original or amended contract amounts.

Vendor Selection and Contract Advertising

The University received bids from multiple vendors for 30 of the 36 contracts tested. For 18 (60 percent) of those 30 contracts, the University did not maintain required documentation showing how it considered the selection criteria specified in the proposals, bids, or quotes. Therefore, auditors could not determine whether the University used the criteria specified in the proposals, bids, or quotes to select the vendors for those 18 contracts. The University’s purchasing manual states that if the University procures a contract through competitive bidding using considerations other than price, the considerations must be specifically stated in the bid and must be measured and documented during the evaluation process.

The University complied with its bid solicitation requirements for 33 (92 percent) of 36 contracts tested. However, for 3 (8 percent) of 36 contracts tested, the University did not comply with bid solicitation requirements. Specifically:

One of the contracts auditors tested was for $30,916, but the University did not advertise the request for proposal in the Electronic State Business Daily. For purchases that exceed $25,000, the University’s purchasing manual


July 2012 Page 6

requires the purchasing department to develop a request for proposal and advertise it in the Electronic State Business Daily, the electronic procurement marketplace available on the Internet and maintained by the Office of the Comptroller of Public Accounts.

For one contract that auditors tested, the University did not solicit any bids from historically underutilized business (HUB) vendors; for another contract auditors tested, the University solicited a bid from only one HUB vendor. The amounts of those contracts were $15,000 and $18,648, respectively. For purchases between $10,000 and $25,000, the University’s purchasing manual requires the purchasing department to solicit a minimum of three formal bids, at least 50 percent of which (which the purchasing manual defines as two) must be from HUB vendors.

Approval of Contracts and Change Orders

The University did not consistently follow its review and approval process to properly sign, review, and authorize contracts. The University’s policy manual states that (1) contracts that exceed $10,000 must be signed by the vice president of business affairs and finance and (2) contracts that exceed $50,000 must also be approved by the general counsel or authorized by the board of regents. While the University’s policies and procedures have specified dollar amounts for the levels of contract review and approval, the University did not have a system to help ensure that its contracts are properly signed, reviewed, and authorized.

For 16 (46 percent) of 35 contracts tested, the University did not have documentation indicating that the contracts were properly signed, reviewed, or authorized. (The remaining contract in auditors’ test sample was still in negotiations at the time of testing.) Specifically:

Eleven contracts each exceeded $50,000, but the University did not have documentation that those contracts were reviewed by the general counsel. The board of regents also did not approve those 11 contracts. Those 11 contracts ranged from $58,250 to $2,217,897 and totaled $3,427,611.

Three contracts each exceeded $10,000, but were not signed by the vice president of business affairs and finance as required. One of those contracts was for $43,756 and was not signed by any University official. The other two contracts were for $39,400 and $18,648.

The University was not able to locate copies of a $45,293 contract for air duct cleaning and a $15,000 contract for medical services. (The medical services contract was one of the contracts discussed above for which the University did not solicit bids from HUB vendors).


July 2012 Page 7

In addition, 13 (36 percent) of the 36 contracts tested had change orders; however, the University’s vice president of business affairs and finance did not approve the contract change orders as required by policy.

Recommendations


Follow its contracting policies and procedures for bidding, solicitation, and vendor selection.

Develop and implement a system to help ensure that all contracts, change orders, and amendments are properly reviewed and approved.

Maintain copies of all contracts.


As a part of its vendor evaluation process, the university will create a form that documents compliance with requirements of the bid solicitation process. The Director of Purchasing acknowledges that in the past he has awarded contracts to the vendor who submits the lowest bid when all vendors bidding the contract met standard specifications. In the future, the university will ensure that contracting processes will be fully documented. The university will review its solicitation requirement for historically underutilized businesses (HUB) and ensure that it follows state policy.

In January 2011 the university engaged the services of its first full-time General Counsel. The General Counsel subsequently has developed specific procedures for executing contracts, and these are being implemented. The procedures address the monitoring of contracts and contract change orders and the process through which approval is granted. The procedures include a routing form to document that the appropriate administrators have reviewed a contract or change order prior to the university’s signing the agreement. A space is provided for administrators to authorize the transaction by recording their signatures. Standard contract templates are approved by the General Counsel. The administration will present its recommendations for modifying the university’s contract authorization policy to the Board of Regents for their formal approval in August 2012. A training session for university personnel has been developed by the General Counsel. A contract administrator also has been named. In addition, contract management software has been purchased that will assist personnel in reviewing, monitoring, and approving university contracts. It is currently being installed (June 2012).

The practice of allowing staff to sign change orders has ceased. In all cases in which someone other than the Vice President for Business Affairs and Finance


July 2012 Page 8

(VPBF) authorized a change order, the VPBF was aware that a change order was being processed. Furthermore, in these instances, files on contracts related to the change orders contained extensive documentation for support of the change. The administration further notes that in no instance did a change order increase the scope or cost of the project. The Vice President for Business Affairs and Finance will approve and sign contracts as required by university policy.

The administration will ensure that copies of all contracts that have been executed are retained.

Implementation Dates: Distribute contract procedures and routing sheet to campus – May 2012 Install contract administration software – June 2012 Propose contract policy changes to Board of Regents – August 2012 Provide contract training to university employees – ongoing

Responsible Persons: Vice President for Business Affairs and Finance General Counsel Director of Purchasing/Contract Administrator

Chapter 1-C

The University Should Improve Controls Over Its Monitoring of Procurement Card Purchases

The University had adequate controls to help ensure that authorized users made procurement card purchases, cardholders’ supervisors reviewed those purchases, those purchases were supported by a receipt or an invoice, and the University coded those purchases correctly in its accounting system. However, the University should improve its monitoring of procurement card purchases to help ensure that cardholders comply with single purchase limits.

For 30 (25 percent) of 119 individual procurement card purchases that auditors tested, which represented 14 purchase transactions, it appeared that the cardholder split a purchase into multiple purchases to circumvent single purchase limits. Those 30 individual purchases totaled $24,953. Auditors tested for potential instances of split purchases when cardholders had made multiple purchases from the same vendor on the same day or on consecutive days. The University’s procurement card program guide states that procurement cardholders may not split a purchase to circumvent the established single purchase limitations.

The University performed monthly reviews of cardholder purchases for unauthorized and unsupported purchases and for potential split purchases made from the same vendor on the same day to circumvent single purchase limits.


July 2012 Page 9

During its monthly reviews of procurement card purchases, the University had appropriately identified 12 (40 percent) of the 30 individual purchases that auditors identified as potential split purchases. The University notified the cardholders of their noncompliance with the procurement card program policies.

In addition, 6 (43 percent) of the 14 purchase transactions, which were comprised of 13 individual purchases, were for more than $2,000 and, therefore, the University’s purchasing department should have processed the purchase through a purchase order. The University’s purchasing manual states that purchases exceeding $2,000 must be processed through a purchase requisition sent to the purchasing department for competitive bidding and processing of a purchase order. Of the 6 purchase transactions auditors identified exceeding $2,000, the University appropriately identified 1 (17 percent) as a purchase that was required to be submitted to the purchasing department through a purchase requisition during its monthly reviews of procurement card purchases. The University notified the cardholder of the noncompliance with procurement card program policies.

Recommendations


Develop and implement more specific policies and procedures related to its review of procurement card purchases for split purchases to include reviewing for purchases made from the same vendor for the same goods or services on consecutive days.

Comply with its purchasing policies relating to processing required purchases through its bidding procedures.


The Purchasing Department currently provides annual training for all current procurement card holders and all new card holders. In the future, the university will intensify its efforts to train university personnel in these matters. The procurement card coordinator will continue to monitor procurement card use and give special attention to the potential for split-purchases. The administration previously has reviewed the procurement card program. Each vice president was asked to consider the justification for assigning procurement cards to persons in his or her area to determine if some might be eliminated. Some were. The administration will continue to review the matter and determine if the number of card holders might be further reduced.


July 2012 Page 10

The university’s Purchasing Department will continue to

provide appropriate training for university personnel and to inform departments of the importance of following proper procurement card procedures, including the prohibition against split purchases,

inform departments not following university procedures for procurement card use of the infraction(s)and require corrective action, and

notify the vice president responsible for an area in which an individual or department repeatedly violates university purchasing procedures and request corrective action, including revocation of procurement card privileges.

Implementation Dates: Train university employees – ongoing Administration will review the number of card holders and Recommend necessary changes – August 2012 Develop more specific policies and procedures related to a review of procurement card purchases for split purchases – January 2013

Responsible Persons: Vice President for Business Affairs and Finance Director of Purchasing/Contract Administrator


July 2012 Page 11

Chapter 2

The University Had Controls to Help Ensure That Financial Information Was Accurate, Complete, Reliable, and Timely, But It Should Improve Controls Over Donations and Financial Reporting

The University generally had implemented financial and administrative controls over its donations, financial reporting, and payroll information to help ensure that financial information was accurate, complete, reliable, and timely. However, the University should improve certain controls over donations and financial reporting.

Chapter 2-A

The University Disbursed Scholarship Funds in Accordance with Donors’ Intentions, But It Should Improve Controls Over Recording Donations

Disbursements

The University disbursed scholarship funds in accordance with donors’ intentions. Auditors tested scholarship funds the University awarded between September 1, 2010, and December 31, 2011, and determined that the University awarded the scholarships with the proper approvals and to recipients who met the requirements.

In addition, the University distributed funds donated to its annual fund in accordance with the donors’ intentions. Auditors tested 30 distributions from the annual fund totaling $19,935 and determined that the University correctly made distributions to the various programs and scholarship funds that donors had specified.

Donations Received

The University reported that it received $3,030,962 in donations in fiscal year 2011. Auditors tested $1,416,519 in donations the University received between September 1, 2010, and December 31, 2011. The University did not consistently deposit or record donations or gifts-in-kind correctly in its accounting system. Specifically, the University:

Deposited 1 (2 percent) of 51 donations tested into the incorrect fund. That donation was part of a transaction that the University deposited incorrectly, which indicates a control weakness. The University coded the donation deposit to an agency fund instead of the quasi-endowment fund, and it did not verify the coding for accuracy. The University’s fiscal regulations and procedures state that all funds the University receives must be identified according to the type of revenue that they represent.


July 2012 Page 12

Gifts-in-kind

According to the University’s donation tracking system Gift Record Guide, “A Gift-in-Kind is a donation of goods or services for which you can easily assign a monetary value. Some examples of Gifts-in-Kind include furniture, computer equipment, and time donated by an accountant.”

Did not record 3 (23 percent) of 13 gifts-in-kind tested in its accounting system (see text box for information on gifts-in-kind). Those gifts were sculptures, office furniture, and gift cards totaling $24,100. The departments accepted the donations in compliance with University policy, but they did not communicate information about the donations to the business services office so that it could make appropriate entries into the accounting system.

The University’s policies and procedures for accepting gifts-in-kind do not include requirements for providing information about those donations to the business services office or entering information about those donations into the University’s accounting system. Governmental Accounting Standards Board Statement No. 33, Accounting and Financial Reporting for Nonexchange Transactions, states that “recognition of nonexchange transactions in the financial statements is required unless the transactions are not measurable (reasonably estimable) or are not probable of collection. Transactions that are not recognizable because they are not measurable should be disclosed.” (See Chapter 3-A for additional information regarding the University’s accounting for donated assets in the State Property Accounting system.)

Recorded 6 (12 percent) of 51 donations tested using the correct fund but the wrong account number in its accounting system. Those six donations totaled $5,525. The department that deposited those donations was not authorized by the University’s policies and procedures to do so, and the University did not verify the deposit for accuracy. The University’s policy for gifts and donations states that, with the exception of gifts to athletics, the alumni association, and the annual fund, the director of donor services and special projects shall be responsible for receiving, acknowledging, and distributing to the appropriate department or program all gifts of cash, equipment, material, or property that private donors or organizations make to the University.

Recording donations incorrectly in the University’s accounting system can result in donations being disbursed for purposes other than those specified by the donors and inaccuracies in the annual financial report.

In addition, access to the network drive on which the University stores electronically scanned donation information appeared appropriate. However, the University did not appropriately redact portions of that information for 13 (43 percent) of 30 additional donations tested as its policy requires. Auditors provided the University with more specific information to address that issue.


July 2012 Page 13

Donations Tracking System

Auditors determined that the users of the University’s donations tracking system included current employees or student workers; however, the University should improve controls over its donations tracking system to improve segregation of duties. The University also should improve administrator-level access controls, documentation of its user access reviews, the use of generic user IDs, and the designation of backup personnel to meet Texas Administrative Code requirements. Specifically, for the donations tracking system, the University:

Did not segregate duties between system security administration and user activities. The administrator was both a user and a security administrator.

Had not designated a back-up individual for security and administrative activities.

Had granted inappropriate security administrator access to six employees.

Did not have written documentation for establishing user access and for its periodic reviews of user access.

Allowed three employees to use the same generic user ID.

Title 1, Texas Administrative Code, Section 202.75, requires higher education institutions to (1) manage access to information resources to ensure authorized use, (2) ensure that each user of information resources shall be assigned a unique identifier, (3) appropriately modify or remove user’s access authorization when the user’s employment or job responsibilities within the institution of higher education change, and (4) create, distribute, and implement information security policies.

The control weaknesses discussed above could lead to inappropriate handling of donations, inconsistent maintenance and review of system security, and the inability to ensure individual accountability for the use of the donations tracking system. Those weaknesses also could impair the University’s ability to account for donations effectively.

Recommendations


Deposit donations into the correct fund.

Record donations and gifts-in-kind correctly in its accounting system.

Revise its gifts-in-kind policies and procedures to include requirements for providing information about those donations to the business services office


July 2012 Page 14

and entering information about those donations into the University’s accounting system.

Enforce its policies and procedures that permit only authorized departments to process donations.

Safeguard data in accordance with its policies and procedures.

Implement controls over user access, segregation of duties, documentation of user access reviews, use of generic IDs, and designation of backup personnel to help ensure that its donation tracking system complies with the Texas Administrative Code.


The administration agrees that the processing of donated funds is an important matter. As the administration anticipated, the audit did not find any instances of mishandling or misuse of donated funds. The cases cited were errors in posting and were isolated and unusual. The university will communicate to its personnel the importance of using proper coding on deposits submitted to the Business Office.

The Raiser’s Edge, the university’s donation tracking system, is not a part of the institution’s business operations or financial accounting system. The sole purpose of the Raiser’s Edge is to track donors and alumni. Recommended actions to address weaknesses in the system’s control mechanism have been or will be initiated. These include the following:

One person has been designated as system security administrator. A second has been designated as a back-up to the system security administrator.

Procedures for user access will be defined and documented. A review of persons having access to the program will be undertaken at the end of each fall, spring, and summer term.

A review of levels of access to the system and controls over it has been made. Personnel for whom access was not deemed essential were removed from the list of users.

The use of generic I.D.’s for those having access to the system has been discontinued. Employees whose work requires access to the system are issued individual user I.D.’s.

In addition, an Adobe Redaction tool is being used to redact donation instruments before a donation is entered into the tracking system. A routing form has been created for use with all gifts-in-kind and includes a description of the gift, its


July 2012 Page 15

value, and the use of the gift. Gifts-in-kind will be recorded in the general accounting system and, as appropriate, in the property accounting system.

Implementation Dates: Implement controls noted – accomplished in June 2012 Develop routing sheet for all gifts-in-kind – June 2012 Enforce existing policies and procedures permitting only authorized departments to process donations – ongoing Review gift and donation policies, including gifts-in-kind, prior to August 2012 Board meeting

Responsible Persons: Vice President for University Development Director of the Annual Fund Vice President for Business Affairs and Finance Controller

Chapter 2-B

The University Should Improve Controls Over Certain Financial Processes

The University generally had appropriate controls to help ensure that it reported selected accounts correctly on its fiscal year 2011 annual financial report. However, it did not (1) make corrections to address discrepancies identified through its monthly account reconciliations in a timely manner, (2) consistently obtain signatures on journal entries to ensure proper segregation of duties, and (3) obtain required approvals on budget transfer requests.

Annual Financial Report

The University’s fiscal year 2011 annual financial report was supported by the accounting system’s data for selected line items. Auditors judgmentally selected 28 line items to review, and all 28 lines items tied to the data in the University’s accounting system with no material differences.

Annual financial report lines items selected for review related to prepaid assets, deferred revenue, cash in bank, bonds payable, investments, capital assets and accumulated depreciation, invested in capital assets net of related debt, student tuition and fees, State and Higher Education Assistance Funds appropriations, gift revenue, and salaries and wages. (See Chapter 2-A for additional information on donations and Chapter 3 for additional information on assets.)

Reconciliations

Auditors tested a sample of 10 monthly account reconciliations, which consisted of four reconciliations of the accounting system with the Uniform Statewide Accounting System (USAS), three reconciliations of the accounting system with


July 2012 Page 16

the payroll account, and three reconciliations of the accounting system with the general operating bank account.

The University had appropriate controls to help ensure that its reconciliations were supported, that it completed the reconciliations in a timely manner, and that the preparer and reviewer generally signed each reconciliation. The University appropriately identified discrepancies but did not have appropriate controls to help ensure that it corrected those discrepancies in a timely manner. Specifically, for the December 2011 reconciliations:

For the payroll reconciliation, the University identified 12 discrepancies totaling $15,635 that it did not correct within 90 days after it identified them. Specifically:

Two of those discrepancies had been outstanding for less than 1 year.

Nine of those discrepancies had been outstanding for between 1 and 4 years.

One of those discrepancies had been outstanding for more than 4 years.

For the general operating bank account reconciliation, the University identified 7 discrepancies totaling $26,148 that it did not correct within 90 days after it identified them. Specifically:

Two of those discrepancies had been outstanding for less than 1 year.

One of those discrepancies had been outstanding for between 2 and 3 years.

Three of those discrepancies had been outstanding for between 5 and 7 years.

One of those discrepancies had been outstanding for more than 7 years.

While the University had appropriate segregation of duties and prohibited the reconciliation preparer from making any correcting entries, the University did not monitor the reconciliation process to help ensure that it corrected the discrepancies in a timely manner. Such monitoring is important because it helps to ensure that the University takes necessary corrective actions.


July 2012 Page 17

Journal Entries

The University had controls to help ensure that the journal entries it made to its accounting system were supported by documentation; had reasonable explanations; and, for manual journal entries, included the signatures of the individual who posted the manual journal entries in the University’s accounting system (see text box for information about journal entries).

However, the University did not have appropriate controls to help ensure that the supporting documentation for journal entries consistently included the preparer or approver signatures. Having signatures that show the segregation of duties is important because the University’s accounting system does not have controls to prevent the entry of an unauthorized journal entry. Additionally, the audit trail information that the University’s accounting system maintains does not track the approver of a journal entry. For the 13 journal entries tested:

One manual journal entry for $22,648,259 did not include the approver signature.

One manual journal entry for $24,480,808 did not include the preparer and approver signatures.

Three automated journal entries totaling $60,414,967 did not include the preparer and reviewer signatures. That occurred because information for automated journal entries is maintained in electronic files and the University did not maintain documentation showing the segregation of duties.

The University did not have policies and procedures over its journal entry process to help ensure that it processed transactions consistently and maintained segregation of duties. That increases the risk that unauthorized transactions could be processed, financial data could be unreliable, and funds could be misappropriated. Segregating duties such as reporting, reviewing, and approving is important because it helps to reduce the risk of fraud.

Budget Transfers

The University’s documentation for all 43 budget transfers tested included reasonable explanations and matched the amounts the University recorded in its accounting system. However, the University did not have controls to help ensure that it made budget transfers in accordance with its policy. Specifically, 10 (23 percent) of the 43 budget transfers tested did not have required approvals. That occurred because the University did not follow its budget request policy.

Journal Entries

According to University staff, the University records journal entries using two methods: manual and automated. Specifically:

The University documents a manual journal entry using a journal entry form that a preparer completes, that a reviewer approves, and that a third party posts to the University’s accounting system.

An automated journal entry is a large transaction that a preparer documents in a spreadsheet and that an approver then authorizes. After the approver authorizes the transaction, the preparer uploads a journal entry into the University’s accounting system.


July 2012 Page 18

The policy requires the budgetary unit head, senior administrator, and vice president of business affairs and finance to approve changes in budget categories and additional appropriations.

Recommendations


Research the cause of the discrepancies identified through its reconciliations and make appropriate corrections in a timely manner.

Develop and implement a policy pertaining to the journal entry process, perform and document its reviews of all journal entries, and document preparer and reviewer signatures for all journal entries.

Align its budget transfer process with its policy, and obtain required approvals on all budget transfers.


The administration agrees with the finding. The administration notes that the university Controller regularly tracks and monitors all bank reconciliations. The Controller and Vice President for Business Affairs and Finance will ensure that any corrections necessary occur within 60 days. Any corrections not completed within 60 days will be reported to the Vice President for Business Affairs and Finance. All discrepancies identified in the audit report will be corrected no later than August 31, 2012. Any discrepancies not corrected will be reported to the Vice President for Business Affairs and Finance.

The university will develop procedures for recording journal entries to ensure that transactions are processed in a consistent manner and that separation of duties is maintained. These procedures will include requiring a signed cover sheet authorizing a financial transaction.

The university will review its budget policy and requirements for approving transfers of funds. The goal will be to simplify the process through which approvals at various levels are obtained. Once the process is refined, it will used in all transactions involving budget transfers. As noted in the university’s response to Chapter 1-A, in instances in which the Business Office acted on the basis of telephone communication with the head of a budgetary unit, typically the budgetary head requested transferring funds from one line in an account to another line in the same account. Authorized purchases made at the beginning of a new fiscal year and dependent upon the use of carry-over funds from the previous year contributed to the number of override requests. Sometimes full funding of accounts for a new fiscal year is not complete until 45 days after the


July 2012 Page 19

end of the succeeding fiscal year. In the future, all transfers must be executed in writing.

Implementation Dates: Correct reconciliation exceptions identified in audit – August 2012 Correct future reconciliation exceptions – ongoing Review procedures for journal entries and budget transfers - August 2012

Responsible Persons: Vice President for Business Affairs and Finance Controller

Chapter 2-C

The University Had Appropriate Accounting Controls Over Payroll

The University had controls to help ensure that it processed its payroll accurately and appropriately. Additionally, the University reported payroll expenditures accurately on its fiscal year 2011 annual financial report.

Payroll

Auditors tested a sample of 50 payroll payments the University made from September 2010 through December 2011 and determined that:

There was accurate employee information in the payroll system for those payments.

The payments were for active University employees.

The University used the correct account codes for those payments in its accounting system.

The payments were for the correct amount and pay period.

The University had evidence of payment authorization.

In addition, a payroll supervisor appropriately reviewed all 45 paysheets tested.

Auditors also analyzed the December 2011 payroll data to determine whether the University made payments to only active employees. Auditors verified that, for the December 2011 payroll, the University appropriately made all payroll-related payments to 1,250 active University employees. Payroll-related payments consisted of salaries and fringe benefits.


July 2012 Page 20

Financial Reporting

The University correctly reported payroll expenditures on its fiscal year 2011 annual financial report. Auditors tied the payroll data in the University’s accounting system to the accounting system’s general ledger data and the fiscal year 2011 annual financial report and identified no material differences.


July 2012 Page 21

Chapter 3

The University Had Controls to Safeguard Assets, But It Should Improve Certain Controls Over Accounting for Assets

The University had controls to safeguard its assets. Auditors tested 53 assets and determined that for the applicable assets tested (1) the assets had property tags that matched information in the State Property Accounting system, (2) the assets existed and were generally in the location specified in the State Property Accounting system, and (3) the University had categorized those assets correctly in the State Property Accounting system. In addition, all of the 47 asset disposals that auditors tested had the correct asset description and disposal date in the State Property Accounting system and had proper authorizations for disposal; the University also had correctly removed those assets from the State Property Accounting system.

In addition, the University limited high-level user access (access enabling the modification of information) to the State Property Accounting system to appropriate personnel. However, the University should improve controls related to segregating duties over inventory management, maintaining adequate supporting documentation, and accounting for donated assets.

The University accurately valued its construction in progress for fiscal year 2011. The University also correctly reported capital assets, such as buildings and facilities, on its fiscal year 2011 annual financial report.

Chapter 3-A

The University Should Improve Inventory Controls in the Areas of Segregation of Duties, Maintaining Documentation, and Accounting for Donated Assets

Segregation of Duties

The University did not segregate the duties of maintaining property, conducting inventory, and updating the State Property Accounting system. The property manager conducted the University’s annual inventory, maintained the inventory records, and updated the State Property Accounting system. The property manager also was the only staff member with access to update the State Property Accounting system, and the University did not have a designated backup individual for the State Property Accounting system. In addition, there was no management oversight or review of the property manager’s duties, and there was no formal communication of missing inventory items to management.

The State Property Accounting (SPA) Process User’s Guide states that agencies and higher education institutions should maintain adequate internal control procedures. Inadequate controls increase the risk of inventory theft and improper or inaccurate accounting of assets.


July 2012 Page 22

Maintaining Documentation

The University did not always maintain documentation sufficient to support information in the State Property Accounting system. Specifically:

Five (9 percent) of 53 assets tested had insufficient or no documentation to support the asset values in the State Property Accounting system. The recorded values of those five assets totaled $2,271,941.

Four (8 percent) of 53 assets tested did not have documentation to support the property number, asset description, in-service date, or acquisition method in the State Property Accounting system. The recorded values of those four assets totaled $1,816,941.

The records retention policy in the State Property Accounting (SPA) Process User’s Guide requires agencies and higher education institutions to maintain property records for the life of each asset and for a period not less than three fiscal years after the disposal of each asset. Without proper controls over asset management, the University could report assets incorrectly and may not properly account for assets.

Accounting for Donated Assets

The University did not record two donated sculptures valued at a total of $22,000 in the State Property Accounting system. The sculptures were donated to the University, but the department that accepted the sculptures did not communicate information about the sculptures to the University’s property manager so that the State Property Accounting system could be updated (see Chapter 2-A for more information about the University’s gifts-in-kind donations).

Texas Government Code, Section 403.2715, states that the property records of a higher education institution must accurately reflect the personal property possessed by the higher education institution. Without proper communication regarding the receipt of donated assets, assets may be understated in the University’s records and reports and omitted from annual inventories.

Recommendations


Implement proper segregation of duties for conducting inventory and updating the State Property Accounting system.

Assign at least one backup individual to be responsible for maintaining information in the State Property Accounting system.


July 2012 Page 23

Maintain asset documentation to comply with State Property Accounting system requirements and support asset information in the State Property Accounting system.

Record all assets in the State Property Accounting system.


The administration agrees that controls are in place to safeguard fixed assets (inventory). A department member is responsible for maintaining the inventory. The role of the property manager is to set a time and date to review the inventory with the staff person and to check off items listed on the inventory sheets in the presence of the department member. The department member expresses agreement with the findings of the property manager by signing the inventory sheet. The property manager maintains inventory records and routinely updates the State Property Accounting (SPA) system. The Controller continually reviews inventory plans and examines the property manager’s work papers in preparation for compiling a financial report. The property manager reports any missing inventory to an appropriate administrator and, as appropriate, to campus police. Missing items are included in the manager’s year-end report. These controls ensure that the university’s fixed assets are properly safeguarded. Because of staffing constraints, the property manager will continue to be responsible for maintaining inventory records and updating the SPA system. A qualified staff member whose responsibility will be to maintain information in the SPA system will be designated as a back-up for the property manager.

Records of the property (fixed assets) referred to in the report were destroyed in accordance with state guidelines in place prior to 2004, the year in which the SPA User’s Guide was first issued. The university will recreate the records and make corrections as required under current guidelines.

As noted in Chapter 2-A, a gift-in-kind routing sheet has been developed. It includes information about the recording of gifts-in-kind in the university’s inventory. The routing sheet requires the signature of the Property Manager as verification that the gift-in-kind has been added to the university’s list of fixed assets.

Implementation Dates: Ensure appropriate separation of Property Manager Duties – June 2012 Develop routing sheet for all gifts-in-kind – June 2012 Ensure property records are complete and accurate - ongoing


July 2012 Page 24

Responsible Persons: Vice President for University Development Director of Annual Fund Vice President for Business Affairs and Finance Controller Assistant Controller (Property Manager)


July 2012 Page 25

Chapter 3-B

The University Correctly Reported Its Construction in Progress and Capital Assets for Fiscal Year 2011

Construction in Progress

Based on results of auditors’ tests, the University accurately valued and reported its construction in progress for fiscal year 2011. The asset values associated with all three of the construction projects that auditors tested were supported by information in the University’s accounting system, and the University reported those values correctly in its fiscal year 2011 annual financial report. Specifically:

The University completed two of the construction projects tested totaling $534,819 in fiscal year 2011, and the University appropriately moved them from the construction-in-progress category to the finished assets category.

The third construction project tested totaling $270,547 remained open, and the University correctly reported it in the construction-in-progress category in fiscal year 2011.

The University’s property manager monitors project costs in the University’s accounting system and coordinates with the facilities department to determine when projects are ready to be moved from the construction-in-progress category to the respective finished assets in the State Property Accounting system. The University transfers projects from the construction-in-progress category when they are substantially complete, which the University defines as when all project costs (excluding contractor retainage) have been expended. This complies with the State Property Accounting (SPA) Process User’s Guide (see text box).

Financial Reporting

The University correctly reported capital assets, such as buildings and facilities, on its fiscal year 2011 annual financial report. Auditors compared the data in the State Property Accounting system to the capital assets item in the fiscal year 2011 annual financial report and identified no material differences.

Construction in Progress

Construction in progress should be reclassified to the appropriate capital asset category when one the following has occurred:

Execution of substantial completion contract documents.

Occupancy.

The asset is placed into service.

Source: State Property Accounting (SPA) Process User’s Guide, Chapter 4.


July 2012 Page 26

Chapter 4

The University Had Adequate Controls to Protect Data in Information Systems, But It Should Improve Certain Controls Over Physical Access, Data Backups, and User Access

The University had adequate controls to protect data in the information systems that auditors tested from unauthorized alteration or improper use.1

Physical Controls

However, it should improve physical controls for its computer server room, storage of data backups, and disaster recovery plan. Additionally, the University should improve controls over its periodic reviews of user access to its accounting system.

The University should improve physical controls for its computer server room and the storage of data backups. Title 1, Texas Administrative Code, Section 202.73, requires higher education institutions to document and manage physical access to mission-critical information resources facilities to ensure the protection of information resources from unlawful or unauthorized access, use, modification, or destruction. Auditors provided the University with specific information to address the issues identified in physical controls and the storage of data backups.

Disaster Recovery Plan

The University’s disaster recovery plan was documented, and the University regularly reviewed that plan. In addition, the disaster recovery plan met some of the requirements of the Texas Administrative Code (see text box).

However, the University’s disaster recovery plan was not complete, and it included outdated information. In addition, the plan did not include a list of systems and third-party software. The list of key personnel in the plan also was outdated, and the University had not removed pages that were no longer relevant from the plan. The University also did not have documentation for its annual test of that plan.

Having an outdated disaster recovery plan could delay returning the University to full computer operations following a disaster.

1 The information systems that auditors tested included the donations tracking system discussed in more detail in Chapter 2, the State Property Accounting system discussed in more detail in Chapter 3, and the accounting system discussed in Chapter 4.

Excerpt from Title 1, Texas Administrative Code, Section 202.74,

Disaster Recovery Plans

Each institution of higher education shall maintain a written disaster recovery plan for major or catastrophic events that deny access to information resources for an extended period. Information learned from tests conducted since the plan was last updated will be used in updating the disaster recovery plan. The disaster recovery plan will:

Contain measures which address the impact and magnitude of loss or harm that will result from an interruption;

Identify recovery resources and a source for each;

Contain step-by-step implementation instructions; and

Include provisions for annual testing.


July 2012 Page 27

Accounting System

The University had user access controls over its accounting system to limit access to appropriate personnel and properly segregate duties. The University also had a policy that required biannual user access reviews for its network, and the University had evidence that it performed periodic reviews. However, the University did not have written procedures that described how the user access review process should be performed for its accounting system and that system’s associated database, server, and network.

Title 1, Texas Administrative Code, Section 202.71, states that higher education institutions should develop policies and establish procedures and practices necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure. Without written documentation of user access review procedures, the University could perform reviews inconsistently and expose its accounting system to unauthorized use.

Recommendations


Improve physical controls for its computer server room, and improve controls for the storage of data backups.

Ensure that its disaster recovery plan complies with Texas Administrative Code requirements.

Document the procedures for its periodic reviews of system access for its accounting system and that system’s database, server, and network.


In June 2012 the university installed humidity sensors in the room in Memorial Hall housing the university’s computer, as recommended in the report. The university also will implement recommendations relating to issues identified as control of physical access and the storage of backup data.

Furthermore, the university will develop a complete disaster recovery plan in accordance with Title 1 of the Texas Administrative Code, Section 202.74 and update its inventory of computer systems, third-party software, and list of key personnel responsible for implementing the plan. The disaster plan will be tested yearly, and the results will be documented.

The university also will develop and implement written procedures describing the review process for user access of the university’s accounting system.


July 2012 Page 28

Implementation Dates: Install humidity sensors in computer server room – June 2012 Improve physical controls for room housing the computer server and improve controls for the storage of backup data – December 2012 Ensure disaster recovery plan complies with Texas Administrative Code requirements – October 2012 Develop and implement written procedures for periodic review of user access system for the accounting system, including associated databases, server, and network – 11/30/12

Responsible Persons: Vice President for Administrative and Institutional Effectiveness Chief Information Officer Vice President for Business Affairs and Finance Associate Vice President for Facilities Services Controller


July 2012 Page 29

Appendix

Objective, Scope, and Methodology

Objective

The objective of this audit was to evaluate selected financial processes to determine whether Midwestern State University (University) has implemented a system of financial and administrative internal controls, and consider whether:

Accounting procedures and controls provide assurance of accurate, complete, reliable, and timely information.

Security controls within the University’s financial system provide assurance that critical data is protected from unauthorized alteration, loss, or improper use.

Controls are adequate and effective to provide reasonable assurance that assets are safeguarded.

The University complies with applicable laws and regulations.

Scope

The scope of this audit covered activities related to accounts payable, contracting, purchasing, procurement cards, assets, financial reporting, gifts and donations, and payroll and the related information systems between September 1, 2010, and December 31, 2011.

Methodology

The audit methodology included:

Analyzing accounting procedures and controls for accounts payable, contracting, purchasing, procurement cards, assets, financial reporting, gifts and donations, and payroll to verify the accuracy, completeness, and reliability of information.

Reviewing the University’s information systems controls over financial and administrative information to verify whether the University protects critical information from unauthorized alteration, loss, or improper use.

Analyzing and testing the effectiveness of controls to safeguard assets.

Identifying and testing compliance with applicable laws, regulations, and policies and procedures related to accounts payable, contracting, purchasing,


July 2012 Page 30

procurement cards, assets, financial reporting, gifts and donations, and payroll.

To determine the reliability of the data from the University’s accounting and donation tracking systems and the State Property Accounting system, auditors:

Reviewed the data for accuracy and completeness by reviewing data query language, verifying record counts, and performing a high-level review of data fields and contents for appropriateness.

Interviewed University staff with knowledge about the systems and the data.

Traced a sample of selected detailed transactions from the data to source documents.

Auditors determined that the data in those systems was sufficiently reliable for the purposes of this audit.

Information collected and reviewed included the following:

The University’s Policies and Procedures Manual.

The University’s Fiscal Regulations and Procedures.

The University’s Purchasing Manual.

The University’s procedures for payroll, gifts and donations, monthly financial statements, accounts payable, and information technology.

Data from the University’s automated accounting and donation tracking systems.

Data on assets from the State Property Accounting system.

Minutes from University board of regents’ meetings.

University internal audit reports.

University documentation, such as property records, gift and donation records, endowment agreements, scholarship agreements, purchase requisitions and purchase orders, receiving reports, contracts, invoices, annual financial report calculations, bank statements, procurement card statements and supporting receipts, payroll records, and accounting documents.


July 2012 Page 31

Procedures and tests conducted included the following:

Interviewed University staff to identify the University’s financial and operational processes, including financial and administrative internal controls.

Tested documentation related to accounts payable, contracting, purchasing, procurement cards, assets, financial reporting, gifts and donations, and payroll to verify compliance with University policies and procedures and state laws and regulations.

Reviewed the University’s assets as reported in the State Property Accounting system to determine whether the University accurately reported capital assets in its fiscal year 2011 annual financial report.

Conducted physical inventory of University assets and compared results with information in the State Property Accounting system and the University’s property records.

Tested general and application controls for the University’s network and information systems.

Performed a walk-through of the University’s computer server room to assess physical security.

Analyzed data from the University’s automated systems, including data related to accounts payable, payroll, procurement card purchases, and vendors.

Tested gifts and donations to the University to verify that the University deposited and used the gifts and donations in accordance with donors’ intentions and complied with applicable policies and procedures.

Reviewed monthly account reconciliations.

Reviewed selected line items from the University’s fiscal year 2011 annual financial report to determine whether they were supported by accounting system data and supporting documentation.

Tested journal entries and budget transfer documentation to determine whether they were appropriate, supported, and approved.

Criteria used included the following:

Title 1, Texas Administrative Code, Chapter 202.

Texas Education Code, Chapter 103.

Texas Government Code, Chapter 403.


July 2012 Page 32

Texas Constitution, Article 7, Section 17.

Comptroller of Public Accounts’ State Property Accounting (SPA) Process User’s Guide.

Comptroller of Public Accounts’ fiscal policies and procedures.

State Office of Risk Management business continuity plan guidelines.

Government Accounting Standards Board Statement No. 33 Accounting and Financial Reporting for Nonexchange Transactions.

Financial Accounting Standards Board Statement No. 116 Accounting for Contributions Received and Contributions Made.

American Institute of Certified Public Accountants Statement on Auditing Standards No. 109 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.

University policies, procedures, manuals, and guidelines.

Project Information

Audit fieldwork was conducted from January 2012 through May 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The following members of the State Auditor’s staff performed the audit:

Jennifer Lehman, MBA, CIA, CGAP (Project Manager)

Jeannette Quiñonez, CPA (Assistant Project Manager)

Mark A. Cavazos

Rachel Lynne Goldman, CPA

Marlen Randy Kraemer, MBA, CISA, CGAP

Lisa M. Thompson

Tony White, CFE

Dennis Ray Bushnell, CPA (Quality Control Reviewer)

Verma Elliott, MBA, CPA, CIA, CGAP (Audit Manager)

Copies of this report have been distributed to the following:

Legislative Audit Committee The Honorable David Dewhurst, Lieutenant Governor, Joint Chair The Honorable Joe Straus III, Speaker of the House, Joint Chair The Honorable Steve Ogden, Senate Finance Committee The Honorable Thomas “Tommy” Williams, Member, Texas Senate The Honorable Jim Pitts, House Appropriations Committee The Honorable Harvey Hilderbran, House Ways and Means Committee

Office of the Governor The Honorable Rick Perry, Governor

Midwestern State University Members of the Midwestern State University Board of Regents Mr. Shawn G. Hessing, Chair Ms. Holly Allsup Mr. Michael Bernhardt Mr. J. Kenneth Bryant Ms. Tiffany D. Burks Mrs. Jane W. Carnes Mr. Charles E. Engelman Dr. F. Lynwood Givens Mr. Charles “Jeff” Gregg Mr. Samuel M. Sanchez Dr. Jesse Rogers, President

This document is not copyrighted. Readers may make additional copies of this report as needed. In addition, most State Auditor’s Office reports may be downloaded from our Web site: www.sao.state.tx.us. In compliance with the Americans with Disabilities Act, this document may also be requested in alternative formats. To do so, contact our report request line at (512) 936-9500 (Voice), (512) 936-9400 (FAX), 1-800-RELAY-TX (TDD), or visit the Robert E. Johnson Building, 1501 North Congress Avenue, Suite 4.224, Austin, Texas 78701. The State Auditor’s Office is an equal opportunity employer and does not discriminate on the basis of race, color, religion, sex, national origin, age, or disability in employment or in the provision of services, programs, or activities. To report waste, fraud, or abuse in state government call the SAO Hotline: 1-800-TX-AUDIT.

Documents

An Audit Report on Financial and Operational Processes at ... · Financial and Operational Processes at Midwestern State University SAO Report No. 12-044 iv . Auditors determined